Signed Request Object Authentication Requirements

Issue #56 resolved
Axel Nennker created an issue

Hi,

JWT Assertions have requirements that are not met by the Signed Request object. https://tools.ietf.org/html/rfc7523#section-3 e.g. "The JWT MUST contain an "exp" (expiration time) claim"

https://openid.net/specs/openid-connect-core-1_0.html#SignedRequestObject

Can we use the signed request object for Client Authentication in CIBA without meeting these requirements? https://xml2rfc.tools.ietf.org/cgi-bin/xml2rfc.cgi?Submit=Submit&format=ascii&mode=html&type=ascii&url=https://bitbucket.org/openid/mobile/raw/tip/draft-mobile-client-initiated-backchannel-authentication.xml?at=default#auth_request

cheers Axel

Comments (6)

  1. Gonzalo Fernández

    I reckon that JWT assertions have nothing to do with Signed Request Object regarding this aspect. An assertion is something that you have got about or you know (self-issued) and you want to show it as a grant to get an access_token, so it needs to be valid only for a specific time. However, the request object, in spite of the fact that it is a JWT that you can sign as well, doesn't need to demonstrate that it is valid within a period of time.

  2. Axel Nennker reporter

    An administrator at the OP could steal the signed request object and use it to issue a fake CIBA authentication request impersonating the client. Limiting the lifetime of the authentication token reduces this risk.

    Coming from an OAuth2 world where client_secrets are good enough this does not add much security to rogue administrator scenarios but...

  3. Brian Campbell

    The CIBA signed authentication request now requires exp, iat, nbf, etc. and is used optionally in addition to regular client authentication when making a request to the backchannel authentication endpoint. I'm not completely sure what is being asked for in this ticket but it seems like that stuff maybe covers it.
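The two points above (a stolen request object being replayed, and the signed request now carrying exp, iat and nbf) come down to what the receiving endpoint checks. The following is an added example, not code from the CIBA draft or from any commenter: a minimal validator that verifies the signature, refuses a token with missing time claims, rejects expired or not-yet-valid ones, and caps the allowed lifetime so a leaked request object is only useful for a short window. HS256 with a shared key, the MAX_LIFETIME and CLOCK_SKEW values, and the claim set in the sample are all assumptions chosen to keep the example self-contained (the spec text on this page does not prescribe them).

```python
import base64
import hashlib
import hmac
import json
import time

# Hypothetical local policy values (not from the CIBA draft).
MAX_LIFETIME = 300   # reject request objects valid for longer than 5 minutes
CLOCK_SKEW = 30      # tolerance in seconds for clock drift between client and OP


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_request_object(claims: dict, key: bytes) -> str:
    """Build a compact JWS over `claims` with HS256 (simplification: the
    real request object would normally be signed with the client's private key)."""
    header = {"alg": "HS256", "typ": "JWT"}
    signing_input = (
        b64url_encode(json.dumps(header, separators=(",", ":")).encode())
        + "."
        + b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    )
    sig = hmac.new(key, signing_input.encode(), hashlib.sha256).digest()
    return signing_input + "." + b64url_encode(sig)


def validate_request_object(token: str, key: bytes, now=None):
    """Return (ok, reason). Signature is checked before any claim is trusted."""
    now = time.time() if now is None else now
    try:
        h, p, s = token.split(".")
    except ValueError:
        return False, "malformed token"

    # 1. Verify the signature over header.payload with a constant-time compare.
    expected = hmac.new(key, (h + "." + p).encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(s)):
        return False, "bad signature"

    # 2. Pin the algorithm so an attacker-chosen "alg" cannot downgrade the check.
    header = json.loads(b64url_decode(h))
    if header.get("alg") != "HS256":
        return False, "unexpected alg"

    claims = json.loads(b64url_decode(p))

    # 3. All three time claims must be present and numeric (bool is an int
    #    subclass in Python, so it is excluded explicitly).
    for name in ("exp", "iat", "nbf"):
        value = claims.get(name)
        if isinstance(value, bool) or not isinstance(value, (int, float)):
            return False, f"missing or non-numeric {name}"

    # 4. Time-window checks, each allowing a small clock skew.
    if claims["nbf"] > now + CLOCK_SKEW:
        return False, "not yet valid"
    if claims["exp"] <= now - CLOCK_SKEW:
        return False, "expired"
    if claims["iat"] > now + CLOCK_SKEW:
        return False, "issued in the future"

    # 5. A short maximum lifetime bounds how long a stolen request object
    #    could be replayed even while it is otherwise valid.
    if claims["exp"] - claims["iat"] > MAX_LIFETIME:
        return False, "lifetime exceeds policy"

    return True, "ok"


if __name__ == "__main__":
    key = b"constructed-shared-key"          # constructed sample key
    now = int(time.time())
    token = sign_request_object(
        {"iss": "client-1", "aud": "https://op.example", "iat": now, "nbf": now, "exp": now + 120},
        key,
    )
    print(validate_request_object(token, key))           # (True, 'ok')
    print(validate_request_object(token, key, now + 400))  # (False, 'expired')
```

The lifetime cap is the part that addresses the rogue-administrator concern directly: even a correctly signed object that leaks from the OP's logs stops being accepted within MAX_LIFETIME seconds of its iat, and pinning alg plus verifying the signature before reading claims keeps the time checks from being bypassed by a forged payload.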